Gist patrickceg/2b555da3142d1f909bc28cf6cc86e9c2, last active October 1, 2020 19:53
This is my scratchpad for https://github.com/OWASP/wstg/issues/419
Location of the article in question: https://github.com/OWASP/wstg/blob/master/document/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel.md
Summary: all in all looks good, but we should reference https://github.com/OWASP/wstg/blob/master/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.md#httponly-attribute
--------------------------
Questions:
- HTTP in 2020?: Needs research
Technical:
- Wireshark?: Not really needed since you can point a mobile device at a proxy
- Browser debugging console?: Yes
--------------------------
Existing article:
Summary
* What is testing for credentials transport
* Link to insufficient cipher strength
How to test:
* What it looks like when HTTP
* What it looks like while HTTPS
Grey-box testing, which is more "remediation"
--------------------------
Article changes:
1. Summary:
* Keep original frontmatter
* Links: insufficient cipher strength, unsecured cookie
2. How to test:
* Notes about proxy or browser in debug mode
* Log in normally, verify the proxy / debugger shows HTTPS for both the request and the response
* Attempt to force-browse to an HTTP login page
* Use OWASP ZAP or another tool to replay the login request over HTTP; that should fail (redirect to HTTPS or be refused)
(Can use a test Jenkins server)
3. Rename Grey-Box Testing as Remediation
4. Check over the newest template and verify / change the naming of sections as needed
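Worked example for the "How to test" steps above, added here as an illustration (it is not from the WSTG article, OWASP ZAP or Juice Shop). check_plain_http_login() does what step 4 describes: it replays the login POST over plain http:// and classifies the answer. The two handler classes are constructed stand-ins for a vulnerable site and a remediated one so the demo runs offline on 127.0.0.1; LOGIN_PATH and the credentials are the Juice Shop values used in the captures further down, and the hostname site-under.test in the stub's redirect is assumed.

```python
"""Replay the login over plain HTTP and judge what the server does.

Added example for the 'How to test' steps; not part of the WSTG article,
OWASP ZAP or Juice Shop. check_plain_http_login() is the reusable part:
point it at a live target such as site-under.test:8080. The two handler
classes are constructed stand-ins so the demo runs offline.
"""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN_PATH = "/rest/user/login"   # Juice Shop's login endpoint, as in the capture
CREDS = {"email": "testuser@example.com", "password": "My33@Credential"}


def check_plain_http_login(host, port, path=LOGIN_PATH, creds=CREDS, timeout=5):
    """POST the credentials over http:// and classify the server's behaviour.

    Verdicts:
      PASS  - redirected to https:// (or refused) without processing the login
      FAIL  - the login was processed over cleartext: a 2xx with a token, or a
              401, which means the server checked a password it received in clear
      CHECK - anything else; look at it by hand
    """
    body = json.dumps(creds).encode()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", path, body=body,
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location", "")
        resp.read()
    finally:
        conn.close()

    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        verdict = "PASS"
    elif status in (403, 405, 426):          # 426 Upgrade Required: "use TLS"
        verdict = "PASS"
    elif 200 <= status < 300 or status == 401:
        verdict = "FAIL"
    else:
        verdict = "CHECK"
    return {"status": status, "location": location, "verdict": verdict}


class _VulnerableSite(BaseHTTPRequestHandler):
    """Constructed stand-in: serves the login over http://, like the capture."""

    def _json(self, status, obj):
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        sent = json.loads(self.rfile.read(length) or b"{}")
        if sent == CREDS:
            self._json(200, {"authentication": {"token": "stub.jwt.value"}})
        else:
            self._json(401, {"error": "Invalid email or password."})

    def log_message(self, *args):   # keep the demo quiet
        pass


class _RemediatedSite(_VulnerableSite):
    """Constructed stand-in: port 80 only redirects; the body is never parsed."""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain, don't look
        self.send_response(301)
        self.send_header("Location", "https://site-under.test" + self.path)  # assumed host
        self.send_header("Content-Length", "0")
        self.end_headers()


def _serve(handler):
    """Start a stub on an ephemeral localhost port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Run the check against both stubs; returns {name: result dict}."""
    results = {}
    for name, handler in (("vulnerable", _VulnerableSite), ("remediated", _RemediatedSite)):
        srv = _serve(handler)
        try:
            results[name] = check_plain_http_login("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10s} HTTP {r['status']} {r['location']} -> {r['verdict']}")
```

A 401 is deliberately a FAIL: the site may have rejected the password, but it read it off a cleartext connection first, which is exactly what the test is meant to catch.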
--------------------------
Plan for testing:
* Set up Linux VM (probably OpenSUSE because it's the laziest to install with)
* Natively install some web thingie with both http and https
* Use my "router"'s CA to create the SSL cert
* Hopefully everything is doable through a browser in Dev mode
--------------------------
Testing:
docker run --rm -p 8080:3000 bkimminich/juice-shop
Another possibility is HTTPS with MediaWiki https://www.mediawiki.org/wiki/Manual:$wgCookieSecure
My not so secret credentials for this
I'm keeping this in a public note because even if you do get my Juice Shop you will be in a
DMZ with the only other thing in there being an IPS and a Kali so I get to see what you're
up to :)
testuser@example.com
My33@Credential
Mother's maiden name: Alice
--------------------------
It looks like Juice Shop will work for my example.
I'll capture the following cases:
HTTPS login
Accessing a page with HTTPS
Test fail example: force-browsing to HTTP and logging in
Test fail example: logging in, then force-browsing to HTTP, and the browser still submits the session token
To avoid too many examples, I'll just cite other places where you can have problems:
* Any use of HTTP in the "I forgot my password" procedure
Looks like "copy request headers" and "copy response headers" from Firefox in debug mode are more than enough.
No ZAP or other tooling should be needed.
Example of an HTTP login:
Headers
POST /rest/user/login HTTP/1.1
Host: site-under.test:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site-under.test:8080/
Content-Type: application/json
Content-Length: 61
Connection: keep-alive
Cookie: language=en; io=bag_X60oTf4pi6VvAAAB; welcomebanner_status=dismiss; cookieconsent_status=dismiss
POST data
{"email":"testuser@example.com","password":"My33@Credential"}
Response headers
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
Content-Type: application/json; charset=utf-8
Content-Length: 838
ETag: W/"346-Rr3NPnTL2JfPYKLbUtWoPfbKuoU"
Vary: Accept-Encoding
Date: Wed, 19 Aug 2020 02:43:14 GMT
Connection: keep-alive
Request headers of a later request, still over HTTP (the same JWT goes out both as a Bearer header and as the token cookie)
GET /rest/user/whoami HTTP/1.1
Host: site-under.test:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site-under.test:8080/
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MTgsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJ0ZXN0dXNlckBleGFtcGxlLmNvbSIsInBhc3N3b3JkIjoiZTFkN2E3N2M4NWZhNjc5YTE3N2E4MDM2YTg4NzM2OWMiLCJyb2xlIjoiY3VzdG9tZXIiLCJkZWx1eGVUb2tlbiI6IiIsImxhc3RMb2dpbklwIjoiMC4wLjAuMCIsInByb2ZpbGVJbWFnZSI6Ii9hc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHQuc3ZnIiwidG90cFNlY3JldCI6IiIsImlzQWN0aXZlIjp0cnVlLCJjcmVhdGVkQXQiOiIyMDIwLTA4LTE5IDAyOjQyOjU4LjA3MiArMDA6MDAiLCJ1cGRhdGVkQXQiOiIyMDIwLTA4LTE5IDAyOjQyOjU4LjA3MiArMDA6MDAiLCJkZWxldGVkQXQiOm51bGx9LCJpYXQiOjE1OTc4MDQ5OTUsImV4cCI6MTU5NzgyMjk5NX0.UdY6zSuqTus1r5fN_YKrInaLpuFzVm0Sb8c_dSk-C87ER9cGy14pE_Q_iwep95YinNtI_VdF0jfe2JR-EWmpFVPE-WJjyzlO1n7AYfwJjwAyXFb5sB-ddWTA3s93xBz-zGH7oKCAuaJxZAN_BK_RDE0zBQY82FSGWDGFGExm0lU
Connection: keep-alive
Cookie: language=en; io=bag_X60oTf4pi6VvAAAB; welcomebanner_status=dismiss; cookieconsent_status=dismiss; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MTgsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJ0ZXN0dXNlckBleGFtcGxlLmNvbSIsInBhc3N3b3JkIjoiZTFkN2E3N2M4NWZhNjc5YTE3N2E4MDM2YTg4NzM2OWMiLCJyb2xlIjoiY3VzdG9tZXIiLCJkZWx1eGVUb2tlbiI6IiIsImxhc3RMb2dpbklwIjoiMC4wLjAuMCIsInByb2ZpbGVJbWFnZSI6Ii9hc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHQuc3ZnIiwidG90cFNlY3JldCI6IiIsImlzQWN0aXZlIjp0cnVlLCJjcmVhdGVkQXQiOiIyMDIwLTA4LTE5IDAyOjQyOjU4LjA3MiArMDA6MDAiLCJ1cGRhdGVkQXQiOiIyMDIwLTA4LTE5IDAyOjQyOjU4LjA3MiArMDA6MDAiLCJkZWxldGVkQXQiOm51bGx9LCJpYXQiOjE1OTc4MDQ5OTUsImV4cCI6MTU5NzgyMjk5NX0.UdY6zSuqTus1r5fN_YKrInaLpuFzVm0Sb8c_dSk-C87ER9cGy14pE_Q_iwep95YinNtI_VdF0jfe2JR-EWmpFVPE-WJjyzlO1n7AYfwJjwAyXFb5sB-ddWTA3s93xBz-zGH7oKCAuaJxZAN_BK_RDE0zBQY82FSGWDGFGExm0lU
If-None-Match: W/"b-/5bSboVjVhGw3qRgvUfZjE1r1Ns"
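Passive counterpart to the captures above, added as an example (not from the WSTG article or Juice Shop): feed it the text that Firefox's "copy request headers" / "copy response headers" produce and it lists what an on-path observer gets, including the claims inside the JWT, which are readable without the signing key. The SAMPLE_* messages are constructed, modelled on the capture above (same endpoints, credentials and claim names); the JWT is generated inside the block with a fake signature rather than copied, and the Set-Cookie line is assumed, since the captured response has none.

```python
"""Passive review of a captured login exchange.

Added example, not part of the WSTG article or Juice Shop. Takes a raw
request and response as copied from the Firefox network panel and lists
the credential material that crossed the wire. SAMPLE_* are constructed
inputs modelled on the capture; the JWT is built here with a fake signature.
"""
import base64
import json
import re

JWT_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
SECRET_FIELDS = {"password", "passwd", "pwd", "secret", "otp", "token"}


def _b64url(obj):
    """base64url without padding, the way JWT segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token):
    """Return (header, payload) WITHOUT checking the signature.

    Fine for reading what a token leaks during a test; never use it to trust one.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header, payload = (json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
                       for p in parts[:2])
    return header, payload


def parse_http_message(raw):
    """Split a raw HTTP message into (start line, {lower-name: [values]}, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def review_login(request_raw, response_raw, scheme):
    """List credential material crossing the wire.

    scheme is 'http' or 'https' as shown by the proxy / network panel; the
    request line alone does not carry it.
    """
    findings = []
    start, req_h, body = parse_http_message(request_raw)
    _, resp_h, _ = parse_http_message(response_raw)
    wire = "CLEARTEXT" if scheme == "http" else "encrypted"

    # 1. Secrets in the request body (the login POST).
    try:
        fields = json.loads(body) if body.strip() else {}
    except ValueError:
        fields = {}
    for name in fields:
        if name.lower() in SECRET_FIELDS:
            findings.append(f"{wire} body field '{name}' in '{start}'")

    # 2. Session material in request headers; a JWT payload is readable by whoever holds it.
    for hdr in ("authorization", "cookie"):
        for value in req_h.get(hdr, []):
            for tok in JWT_RE.findall(value):
                try:
                    _, payload = decode_jwt_unverified(tok)
                except ValueError:
                    continue
                claims = payload.get("data", payload)   # Juice Shop nests the user under "data"
                findings.append(f"{wire} JWT in {hdr} header exposes {sorted(claims)}")

    # 3. Set-Cookie without Secure: the browser will replay it over http:// later.
    for value in resp_h.get("set-cookie", []):
        name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if flag not in attrs:
                findings.append(f"Set-Cookie '{name}' lacks {label}")
    return findings


# Constructed token: same claim names as the captured one, fake signature.
_JWT = ".".join([
    _b64url({"typ": "JWT", "alg": "RS256"}),
    _b64url({"status": "success", "data": {"id": 18, "email": "testuser@example.com",
             "password": "e1d7a77c85fa679a177a8036a887369c", "role": "customer"}}),
    "c2lnbmF0dXJl",   # stand-in signature; it is never verified here
])

SAMPLE_LOGIN_REQUEST = """POST /rest/user/login HTTP/1.1
Host: site-under.test:8080
Content-Type: application/json
Cookie: language=en; welcomebanner_status=dismiss

{"email":"testuser@example.com","password":"My33@Credential"}"""

SAMPLE_LOGIN_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Set-Cookie: token=stub.session.value; Path=/

{"authentication":{"token":"..."}}"""

SAMPLE_WHOAMI_REQUEST = f"""GET /rest/user/whoami HTTP/1.1
Host: site-under.test:8080
Authorization: Bearer {_JWT}
Cookie: language=en; token={_JWT}

"""

if __name__ == "__main__":
    for f in review_login(SAMPLE_LOGIN_REQUEST, SAMPLE_LOGIN_RESPONSE, "http"):
        print(f)
    for f in review_login(SAMPLE_WHOAMI_REQUEST, "HTTP/1.1 200 OK\n\n", "http"):
        print(f)
```

The scheme is passed in by the tester because the request line never carries it; that is the reason step 2 of the test plan says to read HTTPS off the proxy or network panel rather than off the copied headers.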
--------------------------
Docker nginx HTTPS
https://docs.docker.com/network/bridge/
https://nginx.org/en/docs/http/configuring_https_servers.html
# This file is mounted over /etc/nginx/nginx.conf in the docker run below, so it
# has to be a complete nginx.conf: the server blocks must sit inside events {} / http {}.
events {}

http {
    # Plain HTTP never serves the app; it only redirects to HTTPS.
    server {
        listen 80;
        server_name site-under.test;
        return 301 https://$host$request_uri;
    }

    # HTTPS in front of Jenkins.
    server {
        listen 443 ssl;   # "ssl on;" is deprecated; the ssl parameter on listen replaces it
        server_name site-under.test;
        ssl_certificate /etc/nginx/cert.crt;
        ssl_certificate_key /etc/nginx/cert.key;
        ssl_protocols TLSv1.3;
        ssl_prefer_server_ciphers on;
        access_log /var/log/nginx/jenkins.access.log;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Fix the "It appears that your reverse proxy set up is broken" error.
            proxy_pass http://jenkins:8080;
            proxy_read_timeout 90;
            proxy_redirect http://jenkins:8080 https://site-under.test;
        }
    }
}
https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins
docker network create jenkins-net
docker run --rm --name my-nginx --network jenkins-net \
  --publish 443:443 --publish 80:80 \
  --mount 'type=bind,src=/opt/nginx/nginx.conf,dst=/etc/nginx/nginx.conf,readonly' \
  --mount 'type=bind,src=/opt/nginx/test-site.crt,dst=/etc/nginx/cert.crt,readonly' \
  --mount 'type=bind,src=/opt/nginx/private.key,dst=/etc/nginx/cert.key,readonly' \
  nginx
docker run --rm --network jenkins-net --name jenkins jenkins/jenkins:jdk11
--------------------------
Random Internet guides used:
https://www.golinuxcloud.com/openssl-create-certificate-chain-linux/
https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates
https://thomas-leister.de/en/how-to-import-ca-root-certificate/
--------------------------
Verification against task description: OK
--------------------------
Verification against contributor guide template
Summary
Test Objectives - Added
How to Test
Remediation
--------------------------
TODO: Read
--------------------------
Verification against contributor guide style guide